Charles McCathieNevile wrote:
>
> Hi folks,
>
> at
> http://dev.w3.org/cvsweb/~checkout~/2006/webapi/progress/Progress.html?rev=1.24
> you will find a new draft of the progress events spec, for your
> delectation...

So the spec says that for HEAD requests the size should include the size
of headers. I just realized that this might be a security issue.
The headers can include the user's password, many times in clear text. If
a site knows the size of the default headers for a given implementation,
it can figure out the size of the user's password by subtracting the
default size from the size reported from the 'load' event from a HEAD
request.
/ Jonas